Install the latest OpenSSL


As you may know, the latest versions of software packages are often not available in the software repositories. It can take a few months for a release upgrade to appear in the repository. Unfortunately, in the real world the latest releases never appear in the official repositories of RHEL/CentOS Linux.

In my opinion it is extremely risky to install packages that were pre-configured by someone else, because such packages can contain back-doors or malware.

It can be extremely critical for some websites to have the latest OpenSSL support.

The aim of this article is to describe how to compile the latest OpenSSL and enable support for it on your server.

Unfortunately OpenSSL is used by many Linux packages, which is why it cannot simply be replaced system-wide. Daemons will produce errors when they try to work with OpenSSL libraries of an unexpected version, and this can lead to a complete server crash.

At this point the best option is to place the latest OpenSSL in a custom folder and enable it for the daemons manually.

It is 14th of May today and the latest OpenSSL versions available are the following:

  • OpenSSL 1.1.0a (new branch)
  • OpenSSL 1.0.1u (for 1.0.1 branch)
  • OpenSSL 1.0.2i (for 1.0.2 branch)

Let's roll: Install required software:
yum install gcc make zlib-devel wget perl-WWW-Curl.x86_64

Download one of the following source packages:
wget -O /usr/local/src/openssl-1.0.1t.tar.gz https://www.openssl.org/source/openssl-1.0.1t.tar.gz
wget -O /usr/local/src/openssl-1.0.1h.tar.gz https://www.openssl.org/source/openssl-1.0.1h.tar.gz

Uncompress it into /usr/local/src and change into the resulting folder:
tar xf /usr/local/src/openssl-*.tar.gz -C /usr/local/src
cd /usr/local/src/openssl-*/

I am going to place the entire OpenSSL installation in the following folder, which is why I am using it as the prefix:

  • /opt/openssl

./config --prefix=/opt/openssl --openssldir=/opt/openssl/openssl shared
make depend
make
make install

After this you can specify the /opt/openssl folder as the path to OpenSSL when compiling other software (e.g. PHP, Apache, nginx) to enable it there.

The following page can help to build mod_ssl for Apache:
http://httpd.apache.org/docs/2.0/programs/apxs.html
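
Since the reason for building from source is distrust of tampered packages, the downloaded tarball should itself be checked before it is extracted. The following is an added example, not part of the original article: it compares a tarball with a SHA-256 digest file and extracts only on a match. The function names and the demo file are made up for illustration, and it assumes the digest was saved to a file next to the tarball.

```bash
#!/usr/bin/env bash
# Added example: check a downloaded tarball against a SHA-256 digest file
# before extracting it. Function names and the demo data are illustrative.

# Print the first 64-hex-digit token found in a digest file. Handles a bare
# hash, "hash  file" (sha256sum) and "SHA256(file)= hash" (openssl dgst).
read_digest() {
    tr 'A-F' 'a-f' < "$1" | tr -c '0-9a-f\n' '\n' \
        | grep -xE '[0-9a-f]{64}' | head -n 1
}

# Return 0 on match, 1 on mismatch, 2 when an input is missing or unusable.
verify_tarball() {
    local tarball=$1 digest_file=$2 expected actual
    if [ ! -r "$tarball" ] || [ ! -r "$digest_file" ]; then
        echo "cannot read $tarball or $digest_file" >&2
        return 2
    fi
    expected=$(read_digest "$digest_file")
    if [ -z "$expected" ]; then
        echo "no SHA-256 digest found in $digest_file" >&2
        return 2
    fi
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH for $tarball: expected $expected, got $actual" >&2
        return 1
    fi
    echo "OK $tarball"
}

# Demo on constructed data (a stand-in file, not a real OpenSSL release).
demo=$(mktemp -d)
printf 'constructed sample\n' > "$demo/openssl-sample.tar.gz"
(cd "$demo" && sha256sum openssl-sample.tar.gz > openssl-sample.tar.gz.sha256)
verify_tarball "$demo/openssl-sample.tar.gz" "$demo/openssl-sample.tar.gz.sha256"

# Simulate tampering after the digest was recorded: extraction is refused.
printf 'x' >> "$demo/openssl-sample.tar.gz"
if verify_tarball "$demo/openssl-sample.tar.gz" "$demo/openssl-sample.tar.gz.sha256"; then
    tar xf "$demo/openssl-sample.tar.gz" -C "$demo"
else
    echo "refusing to extract"
fi
rm -rf "$demo"
```

A digest fetched from the same server as the tarball only detects a corrupted or truncated download; checking the release's PGP signature with `gpg --verify` is the stronger control.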
